I've been trying to get a certificate signed by CAcert. However, while following the instructions from the SSL guide, CAcert always rejects the CSR. I'm generating the keystore and CSR using keytool. The error CAcert gives me is that the common name is blank, or the domain isn't verified. Well, my domain is verified, and the common name isn't blank, so I'm chalking this up to a possible incompatibility with the way Java handles the keys and what CAcert expects. Most of their stuff uses OpenSSL for examples.
So, has anyone else done this successfully? Thanks!
For some weird reason, that link has a %20 in it and I can't get it to go away. Anyway, it's the SSL guide available in the documentation section for Wildfire.
Nope, I've not figured it out, though I haven't messed with it lately. It'd be really nice if Wildfire would use (or at least work with) OpenSSL certs instead of the keytool stuff. I've also found tutorials for converting from keytool to OpenSSL, but not the other way around (at least, I think that's what it was… it didn't solve the problem for me.)
For clarity, you should receive “Certificate reply was installed in keystore” when you do the import. And the only keys you should delete are the default “rsa” and “dsa” self-signed keys.
One minor update. If you leave the self-signed in place, it will happily serve it (which results in all the usual warnings about having a self-signed cert.) And keytool -export -rfc | openssl x509 -text shows an interesting difference. The self-signed is sigalg md5WithRSAEncryption, the cacert sig is sha1WithRSAEncryption. Not sure if that matters or not, but there it is. Otherwise (to my untrained eye at least) they look the same.
Updated again, after running through the steps myself and having them work.
Also note that cacert.org certs, for some reason, always seem to start “a little in the future”, so the cert will not immediately work. Psi will tell you exactly when the certificate will begin being valid.
Yes! The -dname “CN=common.name.foo” is what I was missing, as well as importing the root certificate (I never got that far on the server, though I imported it on my own machine at home). Hooray for jadestorm! I now have a working, CAcert-signed certificate as well!
Earlier today, I figured out a way to use OpenSSL and keytool to import a self-cert. No need to use CACert. I will post a new thread with the details by tomorrow evening.
//Delphicoder
Update
The method I mentioned above was simply to give the openssl self-cert method a try. It seems like most people will opt to request one from CACert, so I won't be posting any further details.
Were you unable to do it following the instructions in the Wildfire SSL HOWTO? It tells you how to generate a self-signed certificate. Or were you trying to move over an existing one?
The whole point of using CAcert is to have someone else sign your certificate. CAcert just happens to be a free certificate authority. They're not accepted by default in mainstream browsers at the moment (due to expensive fees for silly, meaningless certifications), but you can easily add their root certificate to your browser and such to have it trust CAcert-signed sites.
That was what I was missing - I was loading them in the wrong order (or not at all) and deleting the private key. Way to go, it works like a champ.
If you have gaim (or gaim-derived) clients, you will need to also generate an rsa key. (Symptoms include gaim crashing without warning if tls or ssl is enabled.) Just repeat the -genkey through -import, with -keyalg rsa added to genkey (and a new alias - I just used jabber-dsa and jabber-rsa.)
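Added example (not from the original thread or the Wildfire project): the keytool sequence the posts above describe, with the -dname set to the server's hostname, a dsa and an rsa key under separate aliases, the CAcert root imported before the signed reply, and an openssl check of the installed cert's signature algorithm and validity start. The hostname, keystore path, password and DN fields are placeholders; keytool (JDK 1.5 or later) and openssl are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Placeholders: replace
# HOST, KEYSTORE and STOREPASS with the real values for your server.
set -eu

HOST="${HOST:-jabber.example.com}"      # placeholder hostname
KEYSTORE="${KEYSTORE:-keystore}"        # Wildfire's keystore file
STOREPASS="${STOREPASS:-changeit}"      # placeholder password

# Build the -dname string. The CN must be the server's hostname; without
# it keytool's interactive prompt is easy to leave blank, which is the
# "common name is blank" rejection seen in the thread.
dname_for() {
    printf 'CN=%s,OU=Jabber,O=Example,C=US' "$1"   # OU/O/C are placeholders
}

# One key pair per algorithm, e.g. gen_key jabber-dsa dsa; gen_key jabber-rsa rsa
gen_key() {  # $1 = alias, $2 = keyalg
    keytool -genkey -alias "$1" -keyalg "$2" \
        -dname "$(dname_for "$HOST")" -validity 365 \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Write the CSR for an alias; this is what gets pasted into CAcert's form.
make_csr() {  # $1 = alias
    keytool -certreq -alias "$1" -file "$1.csr" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Order matters: the CAcert root first (once, under its own alias), then the
# signed reply under the key's alias. keytool should answer
# "Certificate reply was installed in keystore" for the second import.
import_chain() {  # $1 = alias, $2 = CAcert root PEM, $3 = signed reply PEM
    keytool -list -alias cacert-root -keystore "$KEYSTORE" -storepass "$STOREPASS" >/dev/null 2>&1 ||
        keytool -import -alias cacert-root -file "$2" -trustcacerts -noprompt \
            -keystore "$KEYSTORE" -storepass "$STOREPASS"
    keytool -import -alias "$1" -file "$3" -trustcacerts \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Show the signature algorithm (md5 vs sha1 as noted above) and the
# "Not Before" date, since CAcert certs start a little in the future.
show_cert() {  # $1 = alias
    keytool -export -rfc -alias "$1" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        | openssl x509 -noout -text | grep -E 'Signature Algorithm|Not Before'
}
```

Run the functions in order for each alias (gen_key, make_csr, import_chain, show_cert); the keystore must end up holding both an installed dsa and an installed rsa key for gaim-derived clients to connect.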
Just a quick fair warning to others. =) It appears to be required that you use at least jdk 1.5.0 (aka 5.0?) to use rsa. Otherwise you will get an error similar to:
That problem might not be version-related specifically. If you get this error, you might try installing the unlimited-strength crypto package from http://java.sun.com/j2se/1.5.0/download.jsp. (Be sure to make sure its legal where you are.)
Oh, and (if that doesn't work) maybe 1.5 should be listed as a minimum version for ssl, given that gaim-derived clients seem to be in the majority out "in the world" (as opposed to enterprises where you can choose a single client that works.)
Maybe the only difference between the people with working cacert certificates and non-working cacert certificates is that the people with the working ones are fully assured by cacert? Could there be any difference beyond the certificate lifetime when you are "fully assured"?
I followed your steps exactly (generated and imported nice dsa and rsa cacert certificates and the root cert… everything went fine & without errors); the only remaining problem is that I am getting the errors mentioned in the thread above.
at org.jivesoftware.wildfire.net.SSLSocketAcceptThread.run(SSLSocketAcceptThread.java:146)
2006.09.30 12:28:20 org.jivesoftware.wildfire.net.SSLSocketAcceptThread.run(SSLSocketAcceptThread.java:168) Kann SSL-Socket nicht einrichten
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
Any hints?
I am really looking forward to getting this up & running one day.